Centraleyezer Shell Upload

2019.11.16

Credit: Omayr Zanata

Risk: High

Local: No

Remote: Yes

CVE: CVE-2019-12271

CWE: CWE-264

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

Centraleyezer: Unrestricted File Upload -[CVE-2019-12271]
Sandline Centraleyezer (On Premises) allows unrestricted File Upload with a dangerous type, because the feature of adding “.jpg” to any uploaded filename is not enforced on the server side.
The image upload is vulnerable to bypass, the file upload adds .jpg extension to every file sent, but on client side, so I could intercept the request and change it to .php. I uploaded a simple shell and was able to execute commands as user www-data on the server.
more information:
https://link.medium.com/Y2S4ZJbMy1

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Centraleyezer Shell Upload

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.